06 Dec Implementing ERM in 2018
The new year naturally acts as an inflection point in our lives: a time when we decide emphatically that the mistakes of yesterday are no more and from this moment forward we will (insert your New Year’s resolution here). Oftentimes, these resolutions are a way of forcing ourselves to tackle things that we’ve been avoiding because they are difficult or require a significant change in our lives. In 2018, we suggest extending your resolutions beyond your personal life by considering which tasks at work are overlooked or forgotten due to their overwhelming nature. Our suggestion: Enterprise Risk Management (ERM).
Risk is everywhere. The acceleration of technology and the speed and complexity of cybersecurity risk, coupled with growing market volatility and greater pressure from regulators, are only a few examples of the overwhelming need for a proactive approach to risk management.
Unfortunately, risk management is often executed poorly – or not at all. Only a quarter of organizations are using an enterprise-wide risk management program in a fully integrated way, according to the 2017 Enterprise Risk Management Benchmark Survey from the Risk Management Society. As you consider how to bring your resolution to fruition, consider implementing an ERM program. An effective ERM program and culture not only protects your organization’s assets and reduces the volatility of outcomes, it also helps you proactively address obstacles standing in the way of achieving your goals.
Easier said than done, of course. Devoting resources, developing a robust framework, communicating a succinct strategy, and continuously monitoring that strategy are but a few steps that can dissuade anyone from such an undertaking. However, as with any problem, approaching the implementation one step at a time will drastically improve the likelihood of success. Here’s what we suggest:
1. Define your organization’s strategic initiatives and their objectives.
The best place to start is to clearly define the current initiatives within your organization and the objectives of those initiatives. As simple as it sounds, doing so will enable you and the different business units across your organization to assess your current state and align the organization’s overall risk profile to fit the strategy.
2. Understand the drivers for change within your organization.
It is crucial to gain a thorough understanding of why change is necessary within your organization and what factors are driving the change. This will enable you to illustrate the value that an ERM program can add to your organization.
3. Develop a strong communication strategy.
Providing accurate, timely, and relevant communications is a critical component in building and sustaining a successful ERM program. In fact, it is often the key differentiator in management’s perception and understanding of ERM value creation. We believe an ERM program communications plan should be part of an overall effort to support strategic decision making and positively impact behaviors and the overall risk culture.
4. Identify and utilize existing controls.
There are surely processes in place throughout your organization that you can leverage to support your ERM initiative right off the bat. It will be incumbent on the above-mentioned risk masters to first identify these controls, and next adapt them to fit the overall strategy of the organization.
5. Define roles and responsibilities.
Your success will ultimately depend on getting the right people in the right positions to encourage best risk practices. Establishing a network of personnel who are responsible for monitoring and managing risks, and encouraging those people to communicate frequently, will serve to keep risk a priority. Further, it will provide a platform to discuss best practices between business units that support the strategic initiatives and proactively confront risk.
6. Drive results.
The overall goal is to develop an ERM program that is sustainable. Like any other initiative, it is necessary to illustrate the positive effect that it has on the organization. A great way to do this is by developing specific goals for each of the “risk managers” and reporting on these goals as part of their normal business process. Not only will this drive effectiveness of the overall program, it will keep senior management aware of the progress and thus the benefit of the program.
Whether you have an existing ERM program that isn’t thriving, or you have yet to implement an ERM program, these steps are the best place to start. If you want to discuss them in more detail, please reach out to me at 484.383.0606 or firstname.lastname@example.org.